Event logs archiving with GPO

In some environments the company policy requires that the security logs of Domain Controllers be configured to retain information X days into the past. Requiring such a setting means two things:

You cannot configure the Event Log to overwrite events as needed (if the log reaches its maximum size).

The log file can grow to a rather large size (the default is 512KB, but if you retain logs you have probably changed that)

One of the things that can help you in this situation is automating the process of opening a new security log file when the maximum size limit is reached.

Below you will find an Administrative Template (.ADM file) that does exactly that: the moment the file size limit is reached, the server archives the security log and opens a fresh one.

I’ll quote:

Using this entry causes the Event Log service to automatically clear a full event log and to back-up the log file. On computers with the “CrashOnAuditFail” policy turned on, the computer continues to log events (instead of hanging because of an audit failure) if the current log file can be backed up automatically. By default, event logs are stored in the %SystemRoot%\System32\Config folder. If you enable this setting, a full log file is automatically backed up in the %SystemRoot%\System32\Config folder, the log file is cleared, and event logging resumes.

If you are still wondering what I am talking about, let's have a look at the following example:

The company’s policy requirement is to retain security events for 60 days.

The environment is rather big and the logs quickly grow.

You configure the maximum security log size to a rather large number (the maximum is 4GB), but still this is not enough to accommodate 60 days of events (and in case you are not aware: if you hit the maximum size limit and your server is not configured to overwrite events as needed, the server will enter "Crash" mode, i.e. it will stop providing services).

Working with very large logs is very painful – the Event Viewer will just crawl.

So what do you do? You configure the maximum log size to a rather reasonable number (let's say 128MB) and use the Administrative Template attached below to configure the server to open a new log when it hits the 128MB limit. The event log will be saved in the %SystemRoot%\System32\Config folder with a timestamp suffix and a new log will be opened.
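The following is an added example and not the Administrative Template attached to the original post (the template itself is not reproduced on this page). It applies the same three settings to the local Security log of one Domain Controller so the effect can be verified before the GPO is rolled out. It assumes the 128MB figure from the post, uses wevtutil's set-log switches (/ms for maximum size, /rt for retention, /ab for auto-backup) instead of the template's registry writes, and must be run from an elevated PowerShell prompt.

```powershell
# Added example: configure the local Security log to "do not overwrite" plus
# automatic archiving, then verify the result. Not the original post's ADM file.
# Assumption: 128 MB is the example size the post uses; adjust to your policy.

$logName  = 'Security'
$maxBytes = 128MB          # PowerShell expands 128MB to 134217728 bytes

# /rt:true = do not overwrite events when the log is full (the policy prerequisite)
# /ab:true = when the log is full, archive it to %SystemRoot%\System32\Config
#            under a timestamped name and start a fresh log instead of stopping
# /ms:<n>  = maximum log size in bytes (must be a multiple of 64 KB)
& wevtutil.exe set-log $logName "/ms:$maxBytes" /rt:true /ab:true
if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }

function Test-SecurityLogArchiving {
    # Returns $true only when the log reports AutoBackup mode at the expected
    # size; any other LogMode (Circular, Retain) means the settings did not take.
    param([long]$ExpectedBytes = $maxBytes)
    $log = Get-WinEvent -ListLog $logName
    return ($log.LogMode -eq 'AutoBackup' -and $log.MaximumSizeInBytes -eq $ExpectedBytes)
}

# Show the effective configuration, including where the live log file lives.
Get-WinEvent -ListLog $logName |
    Select-Object LogName, LogMode, MaximumSizeInBytes, FileSize, LogFilePath

if (-not (Test-SecurityLogArchiving)) {
    Write-Warning "Security log is not in AutoBackup mode at $maxBytes bytes; check the GPO and the EventLog registry key."
}
```

Once the GPO is in place, running only the verification part on each DC is a quick way to catch a server where the policy did not apply, which is exactly the server that would stop responding when its log fills.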

You can later collect those files to a central location or configure a job to prune files older than 60 days.
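The collection and pruning job described above, as an added example that is not part of the original post. It assumes archived Security logs are named Archive-Security-<timestamp>.evtx in %SystemRoot%\System32\Config (the naming used on Vista and later), that \\logserver\dc-logs is a placeholder for the central share, and that 60 days is the retention period from the post's example. Run it elevated on the DC, for instance as a scheduled task.

```powershell
# Added example: copy archived Security logs to a central share, verify the
# copy by hash before removing the local file, and prune the central store
# after the retention period. Placeholder share and file pattern are assumptions.

$archiveDir   = Join-Path $env:SystemRoot 'System32\Config'
$centralShare = Join-Path '\\logserver\dc-logs' $env:COMPUTERNAME   # placeholder
$retainDays   = 60

function Copy-SecurityArchives {
    # Copies every archived log to the central share. The local file is deleted
    # only after the destination hash matches, so a partial or corrupt copy never
    # costs you the only remaining copy of the events.
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    $copied = @()
    foreach ($file in Get-ChildItem -Path $Source -Filter 'Archive-Security-*.evtx' -File) {
        $dest = Join-Path $Destination $file.Name
        if (-not (Test-Path $dest)) {
            Copy-Item -Path $file.FullName -Destination $dest
        }
        $srcHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) {
            Write-Warning "Hash mismatch for $($file.Name); keeping the local copy"
            continue
        }
        Remove-Item -Path $file.FullName
        $copied += $file.Name
    }
    return $copied
}

function Remove-ExpiredArchives {
    # Prunes central archives whose last write time (preserved by Copy-Item,
    # i.e. the moment the DC closed that log) is older than the retention window.
    param([string]$Path, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    $expired = Get-ChildItem -Path $Path -Filter 'Archive-Security-*.evtx' -File |
        Where-Object { $_.LastWriteTime -lt $cutoff }
    foreach ($file in $expired) {
        Remove-Item -Path $file.FullName
        Write-Verbose "Pruned $($file.Name) (older than $Days days)"
    }
    return $expired.Count
}

$moved  = Copy-SecurityArchives -Source $archiveDir -Destination $centralShare
$pruned = Remove-ExpiredArchives -Path $centralShare -Days $retainDays
"Moved $($moved.Count) archive(s) to $centralShare; pruned $pruned expired archive(s)."
```

Keeping the retention decision on the central store rather than on the DC means the DC only ever holds the archives that have not yet been copied, so a full disk on the DC is far less likely, and the 60-day window is enforced in one place.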

Add the new Administrative Template to a new or to an existing GPO, then look for the settings under Computer Configuration > Administrative Templates > System > Event Viewer. The new settings are quite self-explanatory.


About the Contributor

Daniel Petri is a world-known IT professional, technical trainer and creator of one of the world’s largest IT knowledge bases – www.petri.com. Daniel consults to leading global Fortune 1000 companies in Microsoft IT Infrastructure and Engineering strategies.

For his contribution to the IT Pro community Daniel has received the Microsoft Most Valuable Professional (MVP) award for the 14th time. Daniel’s professional certifications include Microsoft Certified Technology Specialist, Microsoft Certified Systems Engineer, Microsoft Certified System Administrator and Microsoft Certified Trainer.

While working for Microsoft, Daniel served as a Senior Premier Field Engineer (PFE) specializing in Windows Server OS and Active Directory.
Daniel now works for ObserveIT, makers of the Insider Threat Detection software, where he holds the role of Senior Solutions Architect, managing large deployment projects and partner and customer training programs.

In his spare time, Daniel rides a 1200cc 2015 model Ducati Multistrada 1200S bike and manages the Israeli Bikers forum.